Social Icon
X

New DFARS Final Rule: What Organizations Must Know

Tego Secure IT Solutions | Cloud, Cybersecurity & IT Services > Blog > Compliance > New DFARS Final Rule: What Organizations Must Know

New DFARS Final Rule: What Organizations Must Know

The Department of Defense has published a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS), integrating CMMC-related contractual mandates into DoD procurements.

Effective 60 days after its publication on September 10, 2025, this rule formally incorporates CMMC obligations into DFARS and applies during a three-year phased rollout, ultimately extending broadly to all contracts involving systems handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), except for purely Commercial-Off-The-Shelf (COTS) items.

There are several key items worth highlighting:

  • The ruling allows conditional CMMC status for Levels 2 and 3 (up to 180 days), while Level 1 requires a Final status for contract eligibility
  • Contracting officers are required to verify that offerors have a current, appropriate‐level CMMC status in SPRS before awarding contracts
  • Offerors and contractors must provide their CMMC Unique Identifiers (UIDs), post assessment results, and affirm continuous compliance via the Supplier Performance Risk System (SPRS). Any changes must be updated throughout the contract lifecycle.
  • Subcontractors must self-report in SPRS by uploading their self-assessment results and annual affirmations of compliance. Prime contractors often must collect these details for verification.

There is a phase-in period within the first three years inwhich CMMC requirements appear only in select contracts designated by program offices. Requirements become standard whenever contractors’ systems handle FCI/CUI (excluding COTS-only contracts) for year 4 and beyond.

How Tego Helps Streamline DFARS & CMMC Compliance

As a Registered Practitioner Organization (RPO), we have consistently urged OSCs not to procrastinate on their compliance journey. Tego helps transform a complex, phased compliance process into a manageable, automated workflow, enhancing accuracy, reducing risk, and preserving team bandwidth. Tego is uniquely positioned to assist organizations in meeting these evolving requirements with efficiency and ease:

Organizations should begin preparing their systems and workflows now, before the rule takes effect in late 2025. The CMMC journey does not end once you receive compliance. You must sustain it throughout contract performance.

We are experiencing a high demand for pre-assessments. Don’t put your contract status at risk by waiting to seek compliance. Contact us today to get started.